Upstream information

CVE-2023-30609 at MITRE

Description

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.

SUSE information

Overall state of this security issue: New

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 5.4
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Impact None
Integrity Impact Low
Availability Impact Low
CVSSv3 Version 3.1
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • element-desktop >= 1.11.30-1.1
  • element-web >= 1.11.30-1.1
Patchnames:
openSUSE Tumbleweed GA element-desktop-1.11.30-1.1
openSUSE Tumbleweed GA element-web-1.11.30-1.1


SUSE Timeline for this CVE

CVE page created: Wed Apr 26 00:01:10 2023
CVE page last modified: Sat Apr 29 01:14:19 2023